From b0c9bc1d2d7fd427c5429fcf2f0bbfa792e6f0f2 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 6 Jul 2021 14:27:29 +0200
Subject: [PATCH] fix invalid field name EventID 6416
---
 rules/windows/builtin/win_external_device.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_external_device.yml b/rules/windows/builtin/win_external_device.yml
index 2ddd7bc23..927efa231 100644
--- a/rules/windows/builtin/win_external_device.yml
+++ b/rules/windows/builtin/win_external_device.yml
@@ -1,9 +1,10 @@
-title: External Disk Drive or USB Storage Device
+title: External Disk Drive Or USB Storage Device
 id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
-description: Detects external diskdrives or plugged in USB devices
+description: Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later
 status: experimental
 author: Keith Wright
 date: 2019/11/20
+modified: 2021/07/06
 tags:
 - attack.t1091
 - attack.t1200
@@ -16,7 +17,7 @@ detection:
 selection:
 EventID:
 - 6416
- DeviceClassName: 'DiskDrive'
+ ClassName: 'DiskDrive'
 selection2:
 DeviceDescription: 'USB Mass Storage Device'
 condition: selection or selection2
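Review bot: The new `description` line in the first hunk reads awkwardly (stray space before the comma, `diskdrives`, lowercase `windows`) and does not tell an analyst what the rule depends on. Suggested wording: `description: Detects external disk drives or plugged-in USB storage devices via EventID 6416 (Windows 10 or later)`. Event 6416 is only written when the Audit PNP Activity subcategory is enabled, so that prerequisite is worth stating in the rule, for example as a `definition` under `logsource`, unless the part of the file outside this hunk already does so.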
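Review bot: In the second hunk, `selection2` still matches on `DeviceDescription` alone, and with `condition: selection or selection2` that branch is not tied to EventID 6416, which the updated description now names as the source event. Scoping both field matches under the event ID keeps the rule from firing on any other event in the log source that happens to carry the same field, and makes the rule agree with its description. The `detection:` block starts above the hunk and the `logsource` is not visible here, so check the restructure against the full rule. The indentation in the sketch is assumed, because the page has lost the original.

```yaml
detection:
    selection:
        # ... unchanged: EventID list containing 6416 ...
    selection_class:
        ClassName: 'DiskDrive'
    selection_description:
        DeviceDescription: 'USB Mass Storage Device'
    condition: selection and (selection_class or selection_description)
```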